b'          U.S. Department of Energy\n          Office of Inspector General\n          Office of Audit Services\n\n\n\n\nAudit Report\n\nResolution  of Significant\nFacility Contractor        Finding and\n                       Acquisition\nInvestigation Recommendations\nManagement       of Information\nTechnology Hardware\n\n\n\n\nDOE/IG-\nDOE/IG-0768                             November 2002\n                                          June 2007\n\x0c                            Department of Energy\n                                 Washington, DC 20585\n\n                                    J u n e 2 2 , 2007\n\n\nMEMORANDUM FOR THE SECRETARY\n\nFROM:                   +e\n                         Greg ry . n e man\n                         Inspector General\n\nSUBJECT:                 INFORMATION: Audit Report on "Facility Contractor\n                         Acquisition and Management of Information Technology\n                         Hardware"\n\nBACKGROUND\n\nThe Department of Energy relies heavily on information technology (IT) to accomplish\nits science, weapons, energy supply and environmental mission objectives. In the past\nthree years, the Department has spent more than $400 million on IT hardware to facilitate\nthese efforts. Items routinely acquired by the Department included desktop and laptop\ncomputers and associated peripherals, personal digital assistants, and network\ninfrastructure equipment.\n\nPrior Office of Inspector General audits have disclosed nunlerous problems with the\nDepartment\'s n~anagementof IT resources. For example, our report on Management of\nthe Department\'s Desktop Computer Software Enterprise License Agreements (DOEIIG-\n071 8, January 2006) found that the Department spent more than necessary to acquire and\nmaintain software due to the lack of a complex-wide acquisition and maintenance\nstrategy. Similarly, our review of Information Technology Support Services at the\nDepurtment of Energy\'s Opemting Contrirctors (DOEIIG-0725, April 2006) determined\nthat, had a complex-wide acquisition strategy been used to obtain support services, the\nDepartment could have achieved significant savings. Because of its sizeable investment\nin this area, we initiated this audit to determine whether the Department had effectively\nmanaged its acquisition and control of IT hardware.\n\nRESULTS OF AUDIT\n\nOur review established that certain Department of Energy facility contractors had not\nadequately managed the acquisition and control of IT hardware. A nun~berof contractors\nhad not consistently taken advantage of opportunities to reduce acquisition and support\ncosts, addressed security concerns related to certain aging systems, or ensured that\naccountability was maintained over sensitive computers and devices. In particular, we\nobserved that:\n\n        Five of the seven sites we reviewed had not developed or fully implemented\n        hardware specifications and brand standards for computers and related\n        peripherals, directly contributing to unnecessary expenditures of at least\n        $4.7 million over a three-year period;\n\x0c         Widely divergent hardware replacement cycles contributed to problems ranging\n         from supporting outdated computers to replacing equipnient before the end of its\n         service life;\n\n         Sites had not always taken advantage of opportunities to achieve volume\n         purchase discounts. For example, one contractor acquired computers from 96\n         different vendors many without competition; and,\n                           -\n\n\n\n\n         Several sites did not track certain sensitive IT equipment, including laptop\n         computers and personal digital assistants.\n\nThese problems occurred because the Department had not developed a coordinated\napproach to IT hardware acquisition, nianagenient, and control. In particular, the\nDepartment had not implemented corporate-level standards for hardware nor had it\nrequired contractors to adopt or adhere to locally-developed standards. Acquisition\nstrategies for IT hardware, designed to take advantage of savings available through\nvolume purchases or consolidated buying opportunities, had not been deployed. In\naddition, the sites reviewed had not established centralized mechanisms for approving\npurchases or adopted a consistent and effective approach for maintaining accountability\nover IT hardware.\n\nWithout improvenients in the acquisition and control of IT hardware, issues such as those\nidentified during our review could result in the unnecessary expenditure of funds to the\ndetriment of program operations. The failure to maintain accountability over computers\nand other sensitive assets could also increase the risk of misuse, theft, or other diversion\nof Government property. Proper inventory controls are critical to maintaining effective\naccountability over information technology hardware, particularly in light of the recent\ndisclos~~rethat the Department could not account for over 1,400 laptops either lost, stolen\nor misplaced over the past six years.\n\nTo its credit, the Department had taken action to establish hardware standards at\nHeadquarters through its Department of Energy Common Operating Environment. In\naddition, we noted that certain contractors have worked together to establish purchasing\nagreements for selected items of IT hardware. These are positive steps, but additional\naction is required. As such, we made several recommendations designed to increase the\nefficiency and effectiveness of the Department\'s hardware acquisition and management\nprocess.\n\nMANAGEMENT REACTION\n\nManagement concurred that action is necessary to improve the Department\'s practices for\nacquiring commodity-type IT hardware and indicated that it pIans to take certain actions\nrelative to the recommendations in our report. In particular, management indicated that\none of the actions to be taken in response to our report will be to develop guidance that\nencourages aggregation of requirements for IT hardware intended to lead to cost savings.\n\x0cIn addition, a review will be performed to determine the need for strengthened\nrequirements over IT asset management.\n\nIn separate comments, the National Nuclear Security Administration (NNSA) indicated\nthat it did not concur with several of our recommendations; however, it provided details\nof alternative actions that will be taken which are consistent with our recommendations.\nFor example, NNSA management noted that its facility contractors recently agreed to\nwork cooperatively using common procurement tools in the development of complex-\nwide acquisition vehicles for comnion commodities. In addition, minimum hardware\nconfigurations developed by the Department will be made available to contractors for\ntheir consideration. Management\'s comments are included in Appendix 4.\n\nAttachment\n\ncc: Deputy Secretary\n    Acting Administrator, National Nuclear Security Administration\n    Acting Under Secretary for Energy\n    Under Secretary for Science\n    Chief Information Officer\n    Chief of Staff\n\x0cREPORT ON FACILITY CONTRACTOR ACQUISITION AND\nMANAGEMENT OF INFORMATION TECHNOLOGY HARDWARE\n\nTABLE OF\nCONTENTS\n\n\n  Acquisition and Manaqement of IT Hardware\n\n  Details of Finding .................................................................................................... 1\n\n  Recommendations and Comments .............................................................................. 7\n\n\n  Appendices\n\n  I . Objective, Scope, and Methodology ...................................................................... 9\n\n  2. Potential Savings .................................................................................................. 1 1\n\n  3. Prior Reports .......................................................................................................   12\n\n  4. Management Comments ...................................................................................... 13\n\x0cAcquisition and Manaqernent of IT Hardware\n\n\nHardware Acquisition   The Department of Energy\'s (Department) facility\nand Control            contractors had not always adequately managed the\n                       acquisition and accountability of its infornlation technology\n                       (IT) hardware. Although critical to controlling acquisition\n                       and support costs, we noted that standards for hardware\n                       specifications and brands, acquisition practices, and\n                       equipment replacement rates had not been developed or\n                       were not completely effective. Controls over\n                       accountability for certain conlputers and other sensitive\n                       equipment were also inadequate.\n\n                                           Hardware Standards\n\n                       Facility contractors at the seven sites reviewed had not\n                       always developed or fully implemented standard hardware\n                       specifications - such as brand, processing speed, and\n                       memory capacity - for computers and related peripherals.\n                       As demonstrated by a recent Department of Defense\n                       (DOD) initiative, decreasing the number of hardware\n                       brands and configurations can result in significant\n                       reductions in acquisition and support costs (cost avoidance\n                       at DOD of $53 nillion in 2004 and 2005).\n\n                       At five of seven sites, brand standards had not been fully\n                       developed for conlputers and peripherals. Absent such\n                       standards - based on our review of purchases made during\n                       Fiscal Years (FY) 2003 through 2005 - we found that\n                       desktop and laptop computers were acquired from at least\n                       70 different manufacturers at the seven sites reviewed. For\n                       example, although Lawrence Berkeley National Laboratory\n                       (Berkeley) established recommended brands for desktop\n                       and laptop conlputers, purchasers did not follow the\n                       recommendation for about 62 percent of the computers\n                       acquired during FY 2005. As generally accepted by\n                       industry officials, elimination of multiple brands of IT\n                       hardware has the potential to significantly reduce annual\n                       support costs.\n\n                       We also noted that despite having similar missions,\n                       standard configurations and the ultimate price paid for\n                       computers for the three National Nuclear Security\n                       Administration (NNSA) national laboratories reviewed -\n                       Sandia, Lawrence Livermore National Laboratory\n                       (Livermore), and Los Alamos National Laboratory (Los\n                       Alamos) - varied widely. For example, the price of the\n\n\n\nPage 1                                                        Details of Finding\n\x0c         high-end standard configuration of one brand of computer\n         ranged from $1,825 at Livermore to $3,743 at Sandia.\n         Absent firm standards, average desktop acquisition costs -\n         when applied to the approximately 32,000 desktops\n         purchased over a recent three-year period amounted to an\n                                                    -\n\n\n\n         overall variance of about $3.4 million in acquisition costs.\n\n         Problems with adhering to standards were not limited to\n         NNSA sites, but also affected organizations managed by\n         the Office of Science (Science). For example, while the\n         Oak Ridge National Laboratory (ORNL) had established\n         configuration standards for desktops and laptops, we\n         observed that these standards were rarely used. Even\n         though the site Chief Information Officer (CIO) estimated\n         that one-half of the employees were candidates for\n         standardized computers, we found that nearly all of the 522\n         desktop and laptop computers that we reviewed at ORNL\n         exceeded current locally established standards. While the\n         price of standardized laptops at the site ranged from $1,2 16\n         to $1,499, the average price paid was actually $2,246, or 50\n         percent more than permitted by ORNL standards.\n         Purchases of non-standard computers and devices at ORNL\n         resulted in the unnecessary expenditure of about $1.2\n         million. Similarly, we noted that the average price paid for\n         the recommended brand of desktop at Berkeley was $1,656\n         - about 33 percent more than the site\'s suggested cost for a\n         standard computer.\n\n         Additionally, four of the sites reviewed had not developed\n         standards for peripherals and acquired a wide range of\n         devices, often at disparate prices. For example, Los\n         Alamos acquired at least 60 different types of portable\n         storage devices, including various flash drives and portable\n         music players. The site acquired various types of flash\n         drives in FY 2005 with the same storage capacity, but with\n         prices that ranged from $68 to $252 per unit, contributing\n         to unnecessary expenditures of about $93,000 at the sites\n         reviewed in just that one year. At Livermore, brand\n         standards for peripherals had not been developed and the\n         site acquired at least 17 different brands of printers. In\n         contrast, a similar site only utilized four different printer\n         brands.\n\n\n\n\nPage 2                                           Details of Finding\n\x0c                             Acquisition Practices\n\n         Sites reviewed had not always developed and implen~ented\n         acquisition standards or centralized mechanisms designed\n         to minimize the cost associated with acquiring IT hardware.\n         For example, Berkeley officials stated that organizational\n         units were not required to compete purchases under\n         $10,000, and that they used that authority to acquire\n         computers from a variety of different vendors. During the\n         three-year period we reviewed, Berkeley purchased desktop\n         and laptop computers from at least 96 different vendors - a\n         practice that effectively prevented it from taking advantage\n         of volume discounts. While ORIVL had established a\n         hardware acquisition program, numerous hardware\n         purchases were made outside of the system. In particular,\n         the site acquired hardware through separate purchase\n         agreements and by using credit cards, acquisition\n         techniques that were not governed by agreed-upon\n         standards and which did not permit the buyer to obtain\n         quantity purchase discounts. In contrast, the Y-12 National\n         Security Complex (Y-12) required that the CIO review all\n         hardware acquisitions to ensure compatibility with existing\n         standards and purchase agreements.\n\n         The lack of common acquisition standards or negotiated\n         buying opportunities for peripheral devices also contributed\n         to unnecessary expenditures. For example, sites reviewed\n         spent $1 million more than necessary for computer\n         monitors in FY 2005 by paying varying prices for the same\n         or similar monitors. We also observed that two sites paid\n         between $1 00 and $460 for the same portable storage\n         device obtained within a three-month period. These issues,\n         similar to those described in several information\n         technology-related Office of Inspector General reports,\n         highlight the fact that the Department\'s limited use of bulk\n         purchase agreements for IT products and services\n         negatively impacts its ability to leverage buying power and\n         reduce costs.\n\n                           Hardware Replacenlent\n\n         Despite a FY 2000 Department-sponsored study and\n         industry best practices, six of the seven facility contractors\n         included in our review had not established standard cycles\n         for replacing IT hardware and had widely varying\n         frequencies of hardware replacements that frequently\n         differed from industry standards. At Y-12, for example, the\n\n\nPage 3                                           Details of Finding\n\x0c         current computer replacement frequency was almost 10\n         years, more than double the recommended industry\n         standard. Site officials estimated that this resulted in 16\n         percent of the computers being obsolete, a situation that\n         made it difficult for them to control maintenance costs and\n         eliminate or reduce security vulnerabilities. In contrast, the\n         average replacement rate of a computer at Sandia was three\n         years.\n\n         Additionally, the Savannah River Site (Savannah River)\n         was the only site reviewed that chose to lease IT hardware.\n         While this may be a cost-effective approach to maintaining\n         desktop and laptop computers, the approach is not cost\n         effective for peripherals such as monitors. In particular, the\n         site incurred up to $2 million in excess expenditures over\n         the last three years by replacing its computer monitors\n         more frequently than necessary. Although industry experts\n         estimate a seven year useful life for monitors, Savannah\n         River\'s replacement under the current lease agreement\n         occurred every three years, well short of the expected life.\n         As noted in the Department-sponsored study, establishing a\n         standard technology replacement rate can enhance\n         standardization and help optimize costs.\n\n                               Inventory Control\n\n         Despite a number of past problen~sand recommendations\n         for corrective actions, our review disclosed that contractors\n         were not consistently or effectively maintaining\n         accountability over assets. Specifically, not all of the sites\n         reviewed tracked computers until disposition. Rather,\n         Berkeley and Sandia officials stated that equipment is\n         generally removed from their inventory systems after five\n         years regardless of whether the hardware was still in use\n         and with no consideration for the type of information\n         contained on the computers. Such practices increase the\n         risk that lost or stolen systems containing sensitive or\n         personal information will not be identified during the\n         inventory process.\n\n         Thresholds for tracking hardware also varied widely at the\n         sites reviewed, including the requirements for tracking\n         equipment which could potentially contain sensitive\n         information such as desktops, laptops, and personal digital\n         assistants. For example, even though Sandia reported\n         losses of 249 computers and other high risk devices\n         between FYs 2003 and 2005, the Department permitted the\n\nPage 4                                           Details of Finding\n\x0c                       site to track only those items costing over $1,000. Setting\n                       this threshold effectively excluded more than 500\n                       con~putersand 3,100 personal digital assistants from\n                       inventory tracking. This practice was especially troubling\n                       given that the site reported the highest percentage of\n                       missing items of any site reviewed and the recent emphasis\n                       by the Office of Management and Budget for ensuring\n                       security over mobile devices. In addition, at Savannah\n                       River, contractors were also not required to account for\n                       certain sensitive peripheral equipment if the value was less\n                       than $5,000 - more than 10 times the threshold used at\n                       most sites.\n\nHardware Acquisition   These problems occurred because the Department had not\nand Control Approach   developed a coordinated approach to facility contractor IT\n                       hardware acquisition and control. In particular, corporate-\n                       level standards for hardware had not been developed and\n                       contractors were not always required to adopt or adhere to\n                       locally-developed standards. Additionally, contractors\n                       were not required to coordinate hardware purchases, utilize\n                       centralized authorities to approve IT purchases, or adopt a\n                       consistent approach to maintaining accountability over IT\n                       hardware.\n\n                       The Department had not required the development and\n                       implementation of either complex-wide or site-specific IT\n                       hardware standards. Although standards were developed as\n                       part of the Department of Energy Common Operating\n                       Environment at Headquarters, they had not been expanded\n                       to facility contractors in the field - organizations that\n                       account for about 87 percent of the Department\'s\n                       workforce. Similarly, users were not always required to\n                       con~plywith existing site standards. For instance, hardware\n                       standards were routinely not enforced at ORNL.\n\n                       Furthermore, the Department had not developed and\n                       implemented polices requiring coordination of IT hardware\n                       purchases both within sites and across the complex to take\n                       advantage of opport~initiesfor volun~ediscounts.\n                       Specifically, acquisition authority, including IT approval\n                       and funding authority, remained decentralized at most of\n                       the sites reviewed. For instance, neither the site CIO\'s nor\n                       acquisition officials were generally responsible for\n                       monitoring purchases to allow them to identify the types\n                       and costs of hardware being acquired. The impact of such\n                       practices was observed at ORNL and Berkeley where\n\n\n\nPage 5                                                        Details of Finding\n\x0c                    organizations regularly acquired various hardware using\n                    purchase cards and other methods that did not permit\n                    buyers to obtain available discounts.\n\n                    Although facility contractors had negotiated agreements for\n                    certain products through the Integrated Contractor\n                    Purchasing Team (ICPT), sites were not required to use\n                    them. For instance, the primary official responsible for\n                    overseeing the lCPT stated that it was difficult to obtain the\n                    lowest prices from vendors without mandatory participation\n                    from all sites because a consistent volunle of purchases\n                    could not be ensured. We also noted that the ICPT had not\n                    established a complex-wide agreement for a particular\n                    brand of hardware despite expenditures of more than\n                    $27 million over the past three years. Similar opportunities\n                    also existed for establishing agreements for other brands of\n                    IT hardware used by the Department. As noted in our\n                    recent report on Information Technology Support Services\n                    at the Department of Energy\'s Operating Contractors\n                    (DOEIIG-0725, April 2006), significant savings can be\n                    realized if the Department develops and implements a\n                    complex-wide IT acquisition strategy.\n\n                    Also, inconsistent implementation of inventory control\n                    procedures contributed to sensitive equipment not being\n                    effectiveIy tracked throughout its lifecycle. Despite the\n                    findings and recomnlendations included in our report on\n                    Marzugement of Sensitive Equipment at Selecterl Locations\n                    (DOEIIG-0606, June 2003), the Department permitted field\n                    sites to set their own thresholds for the type of hardware\n                    being inventoried. Although Department policy stresses\n                    the importance of controlling sensitive items such as\n                    desktops, laptops, and personal digitaI assistants regardless\n                    of value, the policy also permits local officials to exclude\n                    such highly attractive items from inventory procedures,\n                    even though these items can be easily pilfered and have the\n                    capability to contain significant amounts of sensitive\n                    information. Conflicting policy such as this makes it\n                    difficult to ensure that sites are maintaining effective\n                    control over attractive hardware\n\nOpportunities for   Without improvenlents, the Department will continue to\nSavings             spend more than necessary acquiring IT hardware and face\n                    difficulty ensuring accountability over certain high-risk\n                    equipment. Specifically, the Department could potentially\n\n\n\n\nPage 6                                                      Details of Finding\n\x0c                  realize savings of about $16.6 million over the next five\n                  years at the sites reviewed by better controlling hardware\n                  costs and implementing standards for certain equipment\n                  (see Appendix 2 for details). The Department also had an\n                  increased risk of unidentified theft of hardware and\n                  infornlation by not requiring accountability for all highly\n                  attractive items, such as less expensive desktops and\n                  laptops, personal digital assistants, and certain other IT\n                  hardware. With the potential for significant cost savings\n                  and improved accountability, we believe it is vital that the\n                  Department act to more effectively manage its hardware\n                  acquisition and control processes across the complex.\n\n\nRECOMMENDATIONS   To address the issues identified in this report, we\n                  recommend that the Administrator, NNSA, and the Under\n                  Secretaries for Energy and Science, coordinate with the\n                  Department\'s and NNSA\'s Chief Information Officers to:\n\n                      1. Develop and implement hardware standards and\n                         related replacement policies, as appropriate, and\n                         utilize such standards as a basis for streamlining\n                         acquisitions;\n\n                     2. Ensure that hardware purchases are coordinated\n                        between Headquarters and field sites, to include\n                        consideration of enterprise agreements, where\n                        appropriate;\n\n                     3. Develop and implement consistent asset\n                        management policies for maintaining accountability\n                        over IT hardware; and,\n\n                     4. Implenlent mechanisms to effectively monitor and\n                        control the cost of IT hardware purchases.\n\n\nMANAGEMENT        Management concurred that action is necessary to improve\nREACTION          the Department\'s practices for acquiring commodity-type\n                  IT hardware and indicated that it plans to take certain\n                  actions relative to the recommendations in our report.\n\n                  Specifically, the Department plans to develop guidance that\n                  encourages aggregation of requirements for IT hardware\n                  intended to lead to cost savings through economies of scale.\n                  Management also plans to explore the estabIishment of\n\n\n\nPage 7                                Recommendations and Comments\n\x0c           enterprise agreements for IT hardware that can be utilized\n           by facility contractors. In addition, management agreed\n           that accountability must be maintained over IT hardware\n           through consistent asset management and noted that a\n           review will be performed to determine the need for\n           additional policy developn~entand implementation relevant\n           to this area.\n\n           The NNSA indicated that the Department\'s CIO established\n           a desktop minimum hardware configuration that will be\n           made available to contractors for their consideration.\n           However, NNSA officials did not agree that implementing\n           universal hardware standards complex-wide will\n           necessarily result in cost benefits. NNSA management also\n           noted that its facility contractors recently agreed to work\n           cooperatively using common procurement tools in the\n           development of complex-wide acquisition vehicles for\n           common commodities. Officials believed that this effort\n           will assist in monitoring and controlling the costs of IT\n           hardware. In addition, management indicated that\n           consistent policies are in place for maintaining\n           accountability over IT hardware.\n\nAUDITOR    Management\'s comments are generally responsive to our\nCOMMENTS   recommendations. We are encouraged that the Department\n           plans to explore opportunities for establishing IT hardware\n           enterprise agreements, as we continue to believe that such\n           agreements with certain vendors will assist in reducing the\n           overall cost of acquisition.\n\n           We are hopeful that the NNSA\'s new strategic sourcing\n           effort could, when completely implemented, reduce overall\n           costs of IT hardware acquisition. We disagree, however,\n           with the NNSA\'s assertion that developing and\n           implementing hardware standards will not necessarily lead\n           to cost savings. As noted in the body of the report, we\n           identified several examples of cost savings that could be\n           achieved through the development and application of\n           common standards. We also disagree with the NNSA\'s\n           assertion that it has implemented consistent policies for\n           maintaining accountability over IT hardware. Specifically,\n           as noted in the report, Sandia was permitted to exclude\n           certain sensitive equipment from its inventory process, a\n           practice that is inconsistent with other NNSA sites\n           reviewed.\n\n           Management\'s comments are included in their entirety in\n           Appendix 4.\n\n\nPage 8                                                  Comments\n\x0cAppendix 1\n\n\nOBJECTIVE     To determine whether the Department of Energy (Department)\n              had effectively managed its acquisition and control of\n              information technology hardware.\n\n\nSCOPE         The audit was performed between December 2005 and March\n              2007 at Department Headquarters in Washington, DC, and\n              Germantown, MD; the Lawrence Livermore National\n              Laboratory, Livermore, CA; the Lawrence Berkeley National\n              Laboratory, Berkeley, CA; the Oak Ridge National Laboratory\n              and the Y-12 National Security Complex, Oak Ridge, TN; the\n              Sandia National Laboratories and the National Nuclear\n              Security Administration (NNSA) Service Center, Albuquerque,\n              NM; and the Savannah River Site, Aiken, SC. We also\n              obtained information from the Los Alanios National\n              Laboratory, Los Alamos, NM.\n\n\nMETHODOLOGY   To accomplish our objective, we:\n\n                     Reviewed applicable laws and regulations pertaining to\n                     acquisition and maintenance of information technology\n                     hardware, as well as guidance issued by the Office of\n                     Management and Budget;\n\n                     Reviewed reports issued by the Office of Inspector\n                     General ;\n\n                     Reviewed numerous documents related to the\n                     Department\'s management of hardware acquisition and\n                     maintenance activities:\n\n                     Held discussions with program officials and personnel\n                     from Department Headquarters and field sites reviewed,\n                     including representatives from the Offices of the Chief\n                     Information Officer, Environmental Management,\n                     Office of Science, and Fossil Energy, as well as NNSA;\n                     and,\n\n                     Reviewed the Government Performance and Results\n                     Act of 1993 and determined if performance measures\n                     had been established for managing hardware\n                     acquisition.\n\n\n\nPage 9                            Objective, Scope, and Methodology\n\x0cAppendix I (continued)\n\n\n                    The audit was conducted in accordance with generally accepted\n                    Government auditing standards for performance audits and\n                    included tests of internal controls and compliance with laws\n                    and regulations to the extent necessary to satisfy the audit\n                    objective. Accordingly, we assessed intemal controls\n                    regarding the acquisition and maintenance of hardware across\n                    the Department. Because our review was limited, it would not\n                    necessarily have disclosed all internal control deficiencies that\n                    may have existed at the time of our audit. We also assessed\n                    perfomlance measures in accordance with the Governnzent\n                    Performance and Results Act of 1993 regarding acquisition and\n                    maintenance of software. We found that none of the seven\n                    field sites visited had established measures specific to\n                    achieving cost savings associated with hardware acquisition.\n                    While we did not rely solely on con~puter-processeddata to\n                    satisfy our audit objective, we confirmed the validity of such\n                    data, when appropriate, by reviewing supporting source\n                    docun~entssuch as contracts and invoices.\n\n                    The Office of the Chief Infornlation Officer and the NNSA\n                    elected to waive the exit conference.\n\n\n\n\nPage 10                                   Objective, Scope, and Methodology\n\x0cAppendix 2\n\n\n                                               POTENTIAL SAVINGS\n\n\nTo determine potential savings relevant to standardizing information technology (IT)\nhardware across the Department of Energy (Department), we compared the average costs\npaid for desktops and laptops at the three National Nuclear Security Administration\nlaboratories reviewed, as well as the two Office of Science laboratories reviewed. Based on\nour calculations, we determined that the sites could save about $7.9 million over the next five\nyears if hardware standards are implemented at sites with similar operational functions. In\naddition, had the Oak Ridge National Laboratory enforced standards for desktops and laptops\nfor only one-half of its users, we determined that savings of $2 million could be realized.\nFurther, we found that the development and implementation of standards for certain portable\nstorage devices could result in savings of $464,275.\n\nIn addition, we calculated the savings that could be realized from effectively managing\nacquisition of 1T hardware. Specifically, we reviewed information provided by Savannah\nRiver Site and compared this to industry estimates relevant to monitor life-cycles. Based on\nour review, we determined that the site could save about $1.1 million over the next five years\nby purchasing computer monitors rather than leasing new ones every three years.\nAdditionally, we detennined that the sites reviewed could save about $5 million over the next\nfive years acquiring computer monitors at the lowest prices available through other existing\nagreements.\n\nThe table below details the possible savings the Department could realize over the next five\nyears.\n\n\n\n                      Product\n                                                     Identified Annual\n                                                          Savings\n                                                                                              Potential Savings\n                                                                                                  (5 years)                I\n     Hardware Standards Savings\n                                     -\n                                                 ,   --            $1,583,659         --\n~           N Standardization\n                     L                                              $409,457                                  $ 2 , 0 4 7\nL      Portable\n       -   -storage devices                      I                    $92,855    1    p   p    p   p   p\n                                                                                                                $464,2751\n                                                                                                                -\n\n\n           Subtotal\nb e n t - R i t e d savingsp\n1       Savannah River Monitor Lease\n                                  -  -\n1       Monitor Purchases                                                                                     $5,000,045   1\n     -Subtotal\n      -                                                                                                       $6,143,737\n1    TOTAL                 --                    1              $3,314,718       1-                        * 16,573,593\n    * Reflc~ctsonly potentic11.sc~vitlg.sc~t limitr(1 nurt~berof the sites reviewed.\n                                          (I                                              We \\$\'ere unc~hleto calciilate\n    Depc~rtmrnt-widesnving.~.\n\n\n\n\n    Page 11                                                                                                Potential savings\n\x0cAppendix 3\n\n\n                                    PRIOR REPORTS\n\nOffice of Inspector General Reports\n\n   Information Technology Support Senices at the Department of Energy\'s Operating\n   Contractors (DOEJIG-0725, April 2006). The Department of Energy (Department)\n   continues to face challel~gesrelated to contractor procured or fumishcd infom~ation\n   technology (IT) support services. The Department had not established a comprehensive\n   framework to provide a corporate approach to providing IT support services that included\n   contractor-managed sites. Furthermore, the Department did not require contractors to\n   adopt other available methods for reducing costs such as coordinating with established\n   consortium buying groups to consolidate demand and obtain volume discounts. Without\n   improvements, the Department will be unable to realize potential cost savings at\n   numerous contractor-managed sites.\n\n   hfunugentent of the Departmetzt\'s Desktop Compilter Softwure Enterprise License\n   Agreements (DOEJIG-0718, January 2006). The Department had not adequately\n   managed the acquisition and maintenance of desktop computer software licenses. While\n   it did establish several enterprise agreements, it had not developed a complex-wide\n   desktop software acquisition and maintenance strategy. Without improvements focused\n   on increasing software management effectiveness, the Department may be unable to\n   realize savings of at least $3.2 million over the next five years.\n\n   Munagement Ch~lllengesat the Department of Energy (DOEIIG-0748, December 2006).\n   The Office of Inspector General (OIG) identified seven significant management\n   challenges facing the Department, including cyber security. In addition, the OIG\n   identified a "watch list" of emerging issues that warrant continued attention. The report\n   noted that although the Department had taken a number of positive actions in Fiscal Year\n   2006 relevant to cyber security, weaknesses still existed relating to establishing a\n   complex-wide inventory of information systems and implementation of an effective\n   certification and accreditation process.\n\n   Developmetzt and Implementation o f the Department\'s Enterprise Architecture (DOEIIG-\n   0686, April 2005). The Department had not completely defined its current or future\n   information technology requirements, such as desired systems, supporting applications\n   and hardware, and technology standards. Without improvements, the Department may be\n   unable to implement an effective corporate approach for managing ill formalion\n   technology investments.\n\n   M~~ttugemetlt o f Sensitive Eyuiprnet~tat Selected Locutiotts (DOEJIG-0606, June 2003).\n   Management at specific sites was able to locate virtually all sensitive equipment selected\n   during the review. However, Department officials had not ensured compliance with local\n   guidance and best practices pertaining to control, tracking, and protection of sensitive\n   property by contractors. Without improvements sites remain susceptible to misuse, theft,\n   or other diversion of Government property.\n\n\nPage 12                                                                       Prior Reports\n\x0cAppendix 4\n\n\n\n\n                                      Department of Energy\n                                        Washington. DC 20585\n\n\n                                            May 3 1.2007\n\n\n\n    MEMORANDUM POR RICKEY R. HASS\n                   ASSISTANT INSPECTOR GENERAL\n                     FOR FINANCIAL, TECHNOLOGY AND\n                     CORPORATE AUDITS\n\n    FROM:                   THOMAS N. PYKE. JR.    .>- .-\n                            CHIEF INFORMATION   OFFICER\n\n    SOBJ EC\'I\':             Itesponse to lnspector Gewral\'s DraR Report, A06TG072, Facility\n                            Contractor Acquisition and Management o f Infornution Technology\n                            Hardware\n\n\n   The Department o f Energy has reviewed the Inspector General\'s Draft Report, A06TCiO22,\n   Facility Contractor Acquisition a ~ Managerncnt\n                                       d           of Infornlat ion Technology Hardware, dated\n   March 23. 2007.\n\n   According to the Office o f the Inspector General\'s (OIG) audit results stated in this Drafl Repo~t.\n   certain facility contractors have not adcquately managcd the acquisition and control o f IT\n   hardware. The OIG concluded that the Department has not developed a coordinated approach to\n   IT hardware acquisition, managenlent and control. We appreciate the OIG\'s recognition that the\n   Departnlent has taken actions to establish hardware standards for headquarters, through the\n   Department o f Encrgy Common Opcrating Environment, DOECOE.\n\n   We concur that action is necessary to guidc the Department to improve its practices for acquiring\n   commodity-type IT hardware, such as personal computers and monitors. The Office o f the Chicf\n   Information Officer (OCIO) plans to develop guidance for the Department that encourages\n   aggregation o f requirements for such quipment, for each site and across sites whcre possible.\n   The guidance will focus o n steps that can be taken to benefit fiom an economy o f scale, where\n   practical, whilc meeting user requirements. In addition, thc guidancc will provide input to the\n   acquisition process that will assist in making IT hardware refresh decisions based on a i l l\n   understanding o f the life cycle factors that should be considered to ensure acceptable long-term\n   performance at lowest long-term cost of ownership. In developing this guidance. OClO intends\n   to work closely with the National Nuclear Security Administration (NNSA) Administrator, the\n   Under Stxretaries for Encryy and Sciencc, and the Office of Management.\n\n\n\n\nPage 13                                                                         Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n            REC\'OMMENDATIONS\n\n           R e c o m m e n d a t i o ~1:~ \'The OIG recommends that the Administrator. National Nuclear Security\n           Administration (NNSA) and the Under Secretaries for Energy and Scicnce. coordinate with thc\n           I)epa~.tnlent\'sC I O and t l ~ eNNSA CIO to develop hardware standards and related refresh\n           policies. as appropriate.\n\n           .Management 1)ecision: 0 C 1 0 will develop guidance for t h e D e p a r t m e n t t h a t encourages\n           aggregation of r e q u i r e m e ~ ~ftos r such equipment, intended to lead t o cost savings through\n           economies of scale wliere practical.\n\n           \'The Ollice o f the Chief Information Officer (OCIO) plans to develop guidance, working closcly\n           with the NNSA Administrator, the Under Secretaries for Energy and Science, and the Office o f\n            Management that encourages aggregation of requirements for commodity-type IT l~ardware\n           equipnlent, for each site and across sites, where possible, so steps can be taken to benefit from\n           economies o f scale in acquisition and support, where practical, while meeting user requirements.\n            In addition, the guidance will address I T hardware refresh decisions based on a full\n           understanding of the life cycle factors that should be considered to ensure acceptable long-term\n           performance at lowest long-term cost ofownership. The guidance will be prepared in thc\n           contcxt o f the Department\'s Enterprise Architecture management process. O C l O \' s intent is to\n           completc preparation o f t h i s guidance within the next six months.\n\n           R e c o n l n ~ e ~ ~ d a t 2:\n                                       i o nThe 0 1 G recommends that the Administrator, NNSA and the Under\n           Secretaries for Energy and Scicncc, coordinate with the Director, Office of Management; the\n           NNSA Scnior Procure~ncntExecutive; and the Department\'s and NNSA\'s Chief Infor~ilation\n           Officers to iniplcment hardware standards and related rcfrcsh policies, and utilize such standards\n           a s a basis for streamlining acquisitions\n\n           M a n a g e m e n t Decision: OCIO will develop guidance for t h e D e p a r t m e n t t h a t encourages\n           aggregation of r e q u i r e m e n t s f o r such equipment, intended t o lead t o cost savings t h r o u g h\n           economies of scale where practical.\n\n            I\'ha planncd guidance is intended to support streamlined acquisition ofcommodity-type I T\n           hardware, especially in the field, without unnecessarily constraining such acquisitions by spcc~fic\n           standards that could quickly b e c o n ~ cobsolctc in such a fast-moving technological area. Special\n           consideration will also be given to the dynamics o f marketplace pricing for acquisition o f\n           comnlodity-type IT hardware products to ensure that the Government is able to take advantage of\n           marketplace reduc~ionsin price that sometimes occur in a relativcly short time period for these\n           types o f products. Using this guidance, the NNSA Administrator and the Undcr Sccretariss for\n           Energy and Science would be in a better position to provide direction through appropriate\n           contractual means to improve acquisition o f such equipment by their field organizations.\n\n           R e c o n ~ r n e n d a t i o n3: .l\'hc 0 1 G recommends that the Adniinistrator, NNSA and thc Undcr\n           Secretaries lor Energy and Science. coordinate with the Director, OVfice of Management; the\n           NNSA Senior Procurement Executive; and the l)epartment\'s and NNSA\'s Chief Information\n\n\n\n\nPage 14                                                                             Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n            Otficer to ensure that hardware purchases are coordinated between Headquarters and field sitcs,\n            to include consideration o f enterprise agreements, where appropriate.\n\n            M a r ~ n g c r n c n Decision:\n                                  t         O C l O will develop g u i d a n c e f o r t h e D e p a r t m e n t t h a t encourages\n            aggrcgatiun o f r e q u i r e m e n t s f o r s u c h e q u i p n ~ e n t .intended to lead t o cost savings t h r o u g h\n            economics of\' scale w h e r e practical.\n\n            We believe that the developn~entand use ofappropriate guidance will motivate improved\n            acquisition practices at headquarters and at field sites for c o n ~ m o d i t y - t w eIT hardware, but that\n            it is unlikcly that enterprise agreements will have the same positive effect on reducing\n            commodity-type 17- hardware costs as d o enterprise software agreements, including Sn~artBuy.\n            This conccrn is raised because o f expected practical problenls o f establishing and maintaining\n            effective agreements in thc face o f Vast-changing technology and resulting continual\n            improvenicnts in performance/cost in this marketplace. O C l O will. however. explore the\n            possible use o f enterprise agreements for commodity-type IT hardware similar to those in place\n            lor sofiwarc, in which the cntcrprise agrcc~nentswould be available for consideration by DOE\n            licility contractors, a s appropriate, to meet their requirements.\n\n            R c c o n ~ n ~ e r ~ d a t4:\n                                       i o nThe 0 1 G recommends that the Administrator, NNSA and thc Under\n            Secretaries for Energy and Science, coordinate with the Director, Office o f Management; the\n            NNSA Senior Procure~ncntExecutive; and the Department\'s and NNSA\'s Chieflnformation\n            Officer to develop and implement consistent asset management policies for maintaining\n            accountability over IT hardware\n\n            ~ M a n a g e n l c n tDecisior~: C o n c u r\n\n            The Department agrees it must nwintain accountability over I T hardware through consistent asset\n            management policies. The Draft Report indicates that several sites have not maintained\n            accountability Ibr a substantial volume o f IT hardware through consistent asset management, in\n            c o n ~ p l i a n c ewith Departmental policy.\n\n            The Dcpartment agrccs that an asset management challenge exists arising from a failure to\n            comply with existing policy. The Depart nrent believes that its asset management policies for\n            maintaining accountability ovcr IT hardware are adequate, based upon the results of\'thc ( l l G\n            audit. However, compliance remains an issue. The NNSA Admillistrator and the Under\n            Sccretaries for Energy and Science in coordination with the Department\'s and NNSA\'s Chief\n            Intormation Officers. in consultation with the NNSA and DOE Senior Procurement Executives,\n            will perform a review to determine any need for additional policy developnrent and\n            implementation, and take neccssary corrective actions to ensure compliance with DO]; Property\n            Management policy.\n\n            l l c c o m n r e n d a t i o r ~5: T h e O1G recommends that the Administrator, NNSA and the Lndcr\n            Secretaries for Energy and Science, coordinate with the Director, Offlce ot\' Management; the\n            NNSA Senior Procurement Executive; and the Department\'s and NNSA\'s Chief Information\n            Ofiicers to implemenl mechanisnrs to effectively monitor and control the cost o f IT hardware.\n\n\n\n\nPage 15                                                                             Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n            ;Managenlent 1)ccision: C o n c u r\n\n            \'l\'he development and application o f the planned guidance that encourages aggregation o f\n            requirenlents Ibr commodity-type 1\'1\' hardware equipment is intended to provide cost savings\n            through economies o f scale where practical. The NNSA Adrninislrator and lhe Under\n            Secretaries for Energy and Science will coordinate with the Deparlment\'s and NNSA\'s Chief\n            Information Officers in consultation with the NNSA and DOE Senior Procurement Executives.\n            to review current policies, processes, and procedures for acquisition o f comrnodiry-type 11\'\n            hardware, a s well a s best practices within the D0b:COE Program and other 1.1. support programs,\n            to determine if additional actions are indicated.\n\n\n\n\nPage 16                                                                 Managenlent Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n                                       Department of Energy\n                                National Nuclear Securlty Administration\n                                         Washington, DC 20585\n\n                                            M a y 7 , 2007\n\n\n\n             .MEMORANDUM FOR                Rickey R. Hass\n                                            Assistant Inspector Gencial\n                                              for ~inancial,Technology, and Corporate Audi~s\n\n             FROM:                          Associatec.Administrator\n                                            Michael     K\n                                                        &\n                                                        F\n                                                        U\n                                                        @\n                                                        I&-\n\n                                               For Management and~drninistration\n\n             SUBJECT:                       Comments to Drat? Report on Contractor\n                                            Acquisition and Management of Momation\n                                            Technology Hardware, A06TG022\n\n\n             T h e National Nuclear Security Administration (NNSA) appreciates the\n             opportunity to review the Inspector General\'s (IG) draft report, "Facility\n             Contractm Acquisition and Management of Information Technology\n             E3ardwarc." We understand that the IG conducted this audit to determine\n             whether we had effectively managad our acquisition and control of\n             Information Technology (IT) hardware.\n\n             NNSA offers the following comments to the report and the corresponding\n             recommendations:\n\n             To address the issues identified In this report, we recommend that the\n             Administrator, NNSA and the Under Secretaries for Energy and\n             Science, coordinate with the Department\'s CIO and the NNSA CIO\n             to:\n\n                 1.   Develop hardware standards m d related refresh policies, as\n                      appropriate.\n\n             NNSA does not concur with the recommendation. If the rccornmendation\n             i s directed towards t l ~ eFederal establishment, then the Department\'s Chief\n             Information Officer is already taking the actions that are being\n             recommended. A complex-wide desktop minimum hardware standard\n             configuration i s established. The documentation o f the Federal standard\n             desktop hardware standard configuration will be made available to\n             contractors as a tool for their consideration in determining the most\n             efficient and effective method in determining the overall Teast cost\n             approach for that part of the contractor\'s operations that support\n\n\n\n\nPage 17                                                               Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n              performance objectives. NNSA does expect our contractors to perfonn\n              sound procurement practices including the assessment of commodities for\n              the best procurement method. In fact, NNSA M&O contractors recently\n              signed a~mernorandumof understanding whereby they agreed to work\n              cooperatively using common procurement tools in the development of\n              complex-wide acquisition vehicles for common commodities.\n\n              We also recommend that the Administrator, NNSA and the Under\n              Secretaries for Energy and Science coordinate with the Director,\n              Office of Management; the NNSA Senior Procurement Executive; and\n              the Department\'s and NNSA\'s Cbief Information Officers to:\n\n              While the wording of the recommendation is correct, NNSA believes that\n              the recommendation, in this case. should be directed towards the major\n              program elements so that the desires of the major program elements are\n              not discounted. T h e references to the Office of Management, Senior\n              Procurement Executive and Chief Information Officers can, therefore, be\n              deleted. It is the major program elements that have the budgetary\n              authority and management and oversight of the contract instruments.\n\n                  2.   Implement hardware stsndards and related refresh policies, as\n                       appropriate, and utilize such standards as a basis for\n                       streamlining acquisitions;\n              NNSA has taken the approach that a performance measure in NNSA\n              contracts that rewards the contractor for good business practices will lead\n              to more efficient, effective acquisitions regardless of the establishment of\n              standards. The establishment of standards has to be written at such a level\n              to allow individual sites the latitude to exercise IT procurements with\n              small businesses or participate in strategic sourcing. To establish\n              standards with any less flexibility means that cost benefits may not be a\n              reality. NNSA does not agree that implementing universal hardware\n              standards complex-wide will necessarily result in cost benefits or even act\n              as a basis for streamlined acquisitions. Adherence to sound business\n              practices following the concepts of strategic sourcing as outlined in our\n              contractor\'s memorandum of understanding certainly will realize cost\n              benefits\n\n                 3.    Ensure that hardware purchases are coordinated between\n                       Headquarters and field sites, to include consideration of\n                       enterprise agreements, where appropriate;\n\n              M&O subcontract consents are performed by each NNSA Site Office if\n              the specific acquisition meets the established thresholds for subcontract\n              reviews. HCA subcontract consent is required for larger subcontracts.\n              NNSA expects each M&O to utilize strategic vehicles wherever possible.\n              The memorandum of understanding between all NNSA M&O\'s will\n\n\n\n\nPage 18                                                            Management Comments\n\x0cAppendix 4 (continued)\n\n\n\n\n             facilitate the creation and utilization of complex-wide acquisition vehicles\n             in addition to those developed by the ICPT and all M&07shave the\n             requirement to participate in complex-wide strategic sourcing as part of\n             their performance evaluation. Further wordination and review at the\n             Headquarters level is not necessary.\n\n                   4.   Develop and implement consistent asset management policies\n                        for maintaining accountability over IT hardware; and,\n             NNSA has consistent policies in place for maintaining accountability over\n             IT hardware. Since asset management is an integral step of Supply Chain\n             Management, each of NNSA\'s contractors have approved acquisition and\n                      management (which includes disposition)-systems. These\n             systems are amroved bv the Federal estabhshrnent and are reviewed.\n             wdited, and&; tested on a scheduled basis.\n                   5.   Implement mechanlums to effectively monitor and control the\n                        cost of IT hardware purchases.\n\n             This recommendation gives the reader the impression that control of costs\n             must occur centrally. That would put NNSA\'s contractors into a\n             \'compliance\' environment when we are, in fact, moving into a Contractor\n             Assurance Systdmanagcment of risk environment. We believe that\n             there will be a logical progression into cost effectiveness, cost eficiency\n             as long as our contractors realize that it is beneficial to them to implement\n             good business practices even if it means working with other laboratories\n             and production facilities. NNSA has developed visibility into subcontract\n             spend data and has begun to utilize the data to work hand-in-hand with the\n             M&O contractors to identify commodities for strategic sourcing.\n\n             Should you have any questions related to this response, please contact\n             Richard Speidel. Director, Policy and Internal Controls Management.\n\n             cc:        David Boyd, Senior Procurement Executive\n                        Linda Wilbanks, Chief Information Officer\n                        Karen .Boardman, Director, Service Center\n\n\n\n\nPage 19                                                               Management Comments\n\x0c                                                             IG Report No. DOEIIG-0768\n\n                       CUSTOMER RESPONSE FORM\n\nThe Office of Inspector Gencl-al has a continuing interest in improving the usefulness of\nits products. We wish to make o11r reports as responsive as possible to our customers\'\nrequirements, and, thcreforc. ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nrcports. Plcase include answers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this rcpoi-t\'?\n\n2. What additional information related to findings and recommendations could have\n   been included in the report to assist management in implementing correct; ve actions?\n\n3. What format. stylistic, or organizational changes might have made this report\'s\n   overall messagc more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the\n   issues discussed in this report which would have been helpful?\n\n5 . Please include your name and telephone number so that we may contact you should\n    we have any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail i t to:\n\n                           Office of Inspector General (IG- I)\n                                 Department of Energy\n                                Washington, DC 20585\n\n                              ATTN: Customer Relations\n\n\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland-Smith (202) 586-7828.\n\x0c\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n               U.S. Department of Energy Office of Inspector General Home Page\n                                  http://www.ig.ener~y.gov\n\n  Your comments ~ l o u l dbe appreciated and can be provided on the Customer Response Form.\n\x0c'